Information Security

II.C.11 End-of-Life Management

Management should plan for a system's life cycle, eventual end of life, and any corresponding security and business impacts. The institution's strategy should incorporate planned changes to systems, including an evaluation of the current environment to identify potential vulnerabilities, upgrade opportunities, or new defense layers. Also included in this strategy should be considerations for the support provided by third-party system vendors and the risks related to operating unsupported legacy systems. Management should have policies to manage both the hardware and software life cycles. Security risks related to reaching a system's end of life include (a) the increased potential for vulnerabilities because the third party no longer provides patches or support, (b) incompatibility with other systems in the institution's environment, and (c) limitations in security features in older or obsolete systems.

Effective end-of-life management should include the following:

Maintaining inventories of systems and applications.

Adhering to an approved end-of-life or sunset policy for older systems.

Tracking changes made to the systems and applications, availability of updates, and the planned end of support by the vendor.

Conducting risk assessments on systems and applications to help determine end-of-life.

Planning for the replacement of systems nearing obsolescence and complying with policy requirements for implementing new systems or applications.

Developing specific procedures for the secure destruction or data wiping of hard drives returned to vendors or donated, to prevent the inadvertent disclosure of sensitive information.

If an end-of-life system or application must remain in use, management should ensure appropriate mitigating controls are in place, which may include segregating the system or application from the network. Management should also have a plan to replace the system or application and implement compensating controls until replacement. Strategies for replacing and updating hardware and software should incorporate and align with overall information security and business strategies as appropriate.